Nuclear Regulatory Commission Computer Security Office CSO Office Instruction

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Nuclear Regulatory Commission Computer Security Office CSO Office Instruction"

Transcription

1 Nuclear Regulatory Commission Computer Security Office CSO Office Instruction Office Instruction: Office Instruction Title: CSO-PLAN-0100 Enterprise Risk Management Program Plan Revision Number: 1.0 Effective Date: October 25, 2013 Primary Contacts: Responsible Organization: Summary of Changes: Training: ADAMS Accession No.: Kathy Lyons-Burke, SITSO CSO/PST CSO-PLAN-0100, Enterprise Risk Management Program Plan, provides the high-level plan to implement and maintain an NRC Cyber Security Enterprise Risk Management Program. As needed ML13266A290 Concurrences Primary Office Owner Policy, Standards, and Training Responsible SITSO Kathy Lyons-Burke Date of Concurrence Directors CSO Tom Rich /RA/ 07-Oct-13 PST Kathy Lyons-Burke /RA/ 07-Oct-13 FCOT Kathy Lyons-Burke /RA/ 07-Oct-13 CSA Thorne Graham /RA/ 07-Oct-13 Concurrence Meeting Conducted on 07-Oct-13 Attendees: Thomas Rich Jon Feibus Kathy Lyons-Burke

2 U.S. Nuclear Regulatory Commission NRC Enterprise Risk Management (ERM) Program Plan Version 1.0 October 7, 2013

3 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page ii Contents 1 Introduction Purpose Scope Relationship to Other Cyber Security Risk Activities Approach Develop an ERMP Communication Plan Develop an ERM Blueprint Execute ERM Implementation Phases References Program Overview Overall Goal and Objectives Phase 1: Agency-wide Cyber Security Oversight Activities Phase 2: IT Infrastructure Implementations Phase 3: Regional Implementations Phase 4: Remaining NRC Cyber Risk Related Activities Work Breakdown Structure Program Deliverables Program Organization Program Roles and Responsibilities Stakeholders... 9 Appendix A Acronyms... 12

4 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 1 1 INTRODUCTION This plan explains how the Computer Security Office (CSO) plans to implement the Enterprise Risk Management (ERM) Program at the Nuclear Regulatory Commission (NRC) such that the program complies with National Institute of Standards and Technology (NIST) Special Publication (SP) , Managing Information Security Risk, Organization, Mission, and Information System View. 1.1 Purpose The purpose of the ERM Program (ERMP) is to enable the agency to manage enterprise cyber security risk more effectively. The ERMP addresses the use of NRC cyber systems and cyber relevant assets from a risk management perspective, ensuring the safe, reliable, and costeffective use of cyber throughout the agency to achieve mission objectives. 1.2 Scope The ERMP addresses all risk management capabilities and responsibilities related to cyber systems and cyber-relevant capabilities within NRC. Capabilities may include, but are not limited to, policies, processes, procedures, technologies, standards, and training. Initially, the ERMP efforts focus on agency-wide cyber security oversight activities, with the intent of achieving cost-effective and efficient reduction of risk to the NRC. The ERMP effort then gradually expands to address the next greatest area of risk, until all aspects of cyber security risk at NRC have been addressed. 1.3 Relationship to Other Cyber Security Risk Activities The ERMP examines all existing cyber security risk activities for improvements and ensures that NRC effectively employs cyber risk capabilities such as system authorization, continuous monitoring, the cyber risk dashboard, the business area risk assessments, and continuous diagnostics and mitigation activities. 1.4 Approach A blueprint detailing the individual elements of a NIST compliant ERM Program will be developed. The blueprint will be used and refined as each phase of the ERM Program implementation is executed Develop an ERMP Communication Plan A communication plan outlining methods that will be used to communicate implementation of ERM capabilities and changes to existing process, procedures, etc. will be developed. Methods that will be used for communication include, but are not limited to the following: Designated Approving Authority (DAA) briefings IPEC briefings Information Technology (IT) Architecture Council briefings One-page summaries for office directors ISSO Forum briefings CSO web page and SharePoint postings

5 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page Develop an ERM Blueprint An ERM Blueprint will be developed, as described in Section 2.7 Program Deliverables. Initially, the blueprint will identify high-level elements of the ERM Program; as each phase is executed, additional details will be provided based on lessons learned and information obtained during execution of previous phases. The objective of the blueprint is to show how individual elements of the program support other elements, and ultimately, to define the target state of the ERM Program. The blueprint will provide context to ERM stakeholders and program practitioners for key program activities Execute ERM Implementation Phases CSO will implement the ERM Program in four iterative phases. Each phase will build on the previous phase, adding appropriate representatives and applying lessons learned as the program is implemented throughout the agency. The first four phases of the ERM Program will be implemented as follows: Phase 1: Agency-wide Cyber Security Oversight Activities Phase 2: IT Infrastructure Implementations Phase 3: Regional Implementations Phase 4: Remaining NRC Cyber Risk Related Activities The following activities will be conducted during each of the four implementation phases: Expand the ERM Blueprint: Expand the ERM Blueprint to provide details concerning program implementation for each phase. As details are provided for each phase, the ERM Blueprint will increasingly describe the target state of the ERM Program. This activity results in a report that identifies the ERM elements that must exist within the NRC to achieve an effective and compliant risk management program. An iterative version of the report is produced after each phase. Document the ERM Baseline and Assess Gaps: Evaluate current risk management capabilities for each activity during each phase. Determine the degree to which existing capabilities already satisfy those required in the ERM Blueprint, and identify any gaps that remain. This results in a report that identifies the baseline and the gaps between the baseline and the blueprint. Within each phase, a report is produced identifying the baseline first, and then the report is augmented to identify the gaps. Develop ERM Program Portfolio: Develop a portfolio of programs and alternatives to be used to address the identified gaps; prioritize the programs and alternatives, sequence them for dependencies, and present them to senior leadership for approval. The ERM Program Portfolio is comprised of discrete programs during which tasks are completed for the purpose of implementing CSO approved recommendations identified in the ERM Gap Analysis Report. The programs are defined and sequenced so that as any one is completed it provides benefit to the agency and that cumulative benefit is achieved as related programs are completed. Address Gaps: As programs and alternatives are approved by senior leadership, coordinate and oversee the execution of each program or alternative to ensure that each objective is accomplished (i.e., gap is closed) within the planned timeframes.

6 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 3 Plan Next Phase: Planning for the next phase (e.g., developing program plans and scheduling required activities) will take place concurrent with gap closure. After Phase 4 is complete, the ERM Program will enter a fifth phase during which the mechanisms for long-term maintenance and continuous improvement of the program will be established. Once established, this program is complete and the ERMP transitions to ongoing maintenance. 1.5 References At a minimum, the following resources will be used when developing the ERMP: NIST SP (Revision 1) Guide for Developing Security Plans for Federal Information Systems, February 2006 NIST SP (Revision 1) Guide for Conducting Risk Assessments, September 2012 NIST SP (Revision 1) Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010 NIST SP Managing Information Security Risk Organization, Mission, and Information System View, March 2011 NIST SP (Revision 4) Recommended Security Controls for Federal Information Systems and Organizations, May 2013 NIST SP A (Revision 1) Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010 NIST SP (Revision 1) Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008 NIS SP (Revision 2) National Checklist Program for IT Products Guidelines for Checklist Users and Developers, February 2011 FIPS PUB-199 Standards for Security Categorization of Federal Information and Information Systems, February 2004 FIPS PUB-200 Minimum Security Requirements for Federal Information and Information Systems, March 2006 The following resources may also be used when relevant and appropriate: ISO-31000:2009 Risk Management Principles and Guidelines DHS Risk Lexicon, 2010 Edition, September 2010 Risk Management Fundamentals, Homeland Security Risk management Doctrine, April PROGRAM OVERVIEW This section provides an overview of CSO s ERMP.

7 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page Overall Goal and Objectives The primary goal of the NRC ERMP is to enable more consistent, complete, agile, and costeffective risk management practices throughout the agency by unifying and standardizing risk management activities related to cyber systems and cyber-relevant capabilities. Objectives include: Ensuring that the organization s risk management capabilities are repeatable and effectively used throughout the agency s information systems; Fostering an organizational climate where information security risks are considered within the context of the agency s mission and business processes; Guiding individuals responsible for deployment and maintenance of cyber systems to better understand how information security risk can impact them, their systems, other systems, and the agency as a whole; and, Identifying and implementing processes that allow for consistent feedback and continuous improvement of the ERMP. 2.2 Phase 1: Agency-wide Cyber Security Oversight Activities The goal of the first phase is to identify the ERM cyber security oversight capabilities that can maximize the value of the ERMP as a whole. The ERM Team will identify and implement the risk management capabilities that may require the least effort with maximum risk management benefits to the agency. Implementation of these capabilities will demonstrate the value of the ERMP throughout the agency. The ERM Team will also focus on high priority activities, including: Development of formal, agency-specific mission impact definitions; Development of refined security categorization definitions and guidance; Development of enhanced CSO processes, procedures, and templates, to include: - Identifying those that do not exist. - Identifying those that need to be revised. - Developing processes, procedures and templates that support efficient execution of cyber security tasks. Identification of standards, processes, procedures, and templates that should be removed; Identification of high impact risks that can be resolved with the least amount of effort (using data available within CSO); Identification of more streamlined user friendly capabilities that better enable staff to complete cyber security tasks; Identification through an analysis of aggregated Plans of Actions and Milestones (POA&M) of patterns and trends, including those that result in the greatest agency risk; Identification through an analysis of aggregated risk assessments of patterns and trends, including those that result in the greatest agency risk; Identification of improvements in cyber security control implementation;

8 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 5 Identification of additional functionality that could be incorporated into existing tools to more efficiently execute cyber security tasks; Establishing processes to ensure increased consistency during cyber security testing, tool usage, and tool-configuration settings; Supporting increased automation for security control assessment on an ongoing basis to reduce the manual burden and to enable increased assessment frequency; Developing a more comprehensive set of standardized system security requirements; and, Increasing efficiency by linking the standardized system security requirements to the standardized controls. 2.3 Phase 2: IT Infrastructure Implementations The goal of the second phase is to identify the ERM capabilities that can be implemented within IT infrastructure activities and operations with the intent to reduce cyber security risk. The ERM Team will incorporate IT infrastructure representatives and will order the infrastructure implementation risk management capabilities that require the least effort with maximum risk management benefits to the agency to those with the lowest cost-benefit ratio. IT infrastructure staff will implement the most advantageous capabilities in collaboration with CSO. 2.4 Phase 3: Regional Implementations The goal of the third phase is to identify the ERM capabilities that can be implemented within regional activities and operations with the intent to reduce cyber security risk. The ERM Team will incorporate regional representatives and will order the regional implementation risk management capabilities that require the least effort with maximum risk management benefits to the agency to those with the lowest cost-benefit ratio. Regional staff will implement the most advantageous capabilities in collaboration with CSO. 2.5 Phase 4: Remaining NRC Cyber Risk Related Activities The goal of the last phase is to identify the ERM capabilities that can be implemented within cyber security relevant activities across all part of NRC with the intent to reduce cyber security risk. The ERM Team will incorporate cross-agency representatives and will order the implementation risk management capabilities that require the least effort with maximum risk management benefits to the agency to those with the lowest cost-benefit ratio. Approproate staff will implement the most advantageous capabilities in collaboration with CSO. 2.6 Work Breakdown Structure This section provides an overview of the key tasks involved in implementing the ERM program. Planning and Preparation 1. Develop ERM Plan a. Develop the initial ERM Plan. b. Conduct an internal CSO review of the plan. c. Obtain approval of the initial ERM Plan from the Policy, Standards, and Training (PST) Senior IT Security Officer (SITSO) and the Chief Information Security Officer (CISO).

9 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 6 2. Finalize ERM Blueprint a. Complete the initial ERM Blueprint using NIST SP Managing Information Security Risk: Organization, Mission and Information System View, March 2011 as the primary resource. b. Conduct an internal CSO review of the blueprint. c. Obtain approval of the initial ERM Blueprint from the PST SITSO and the CISO. Phase 1: Agency-wide Cyber Security Oversight Activities 1. Update the ERM Blueprint with CSO specific elements a. Identify the CSO-specific elements of the ERM Blueprint that must be evaluated to address ERM within the CSO. b. Describe each element and define requirements specific to the CSO that must be met to fully satisfy the element. c. Facilitate a CSO review of the defined elements. d. Finalize the CSO-elaborated version of the ERM Blueprint. 2. Document the Baseline and Assess Gaps for CSO a. Gather information already available to the contractor, and conduct interviews with the contractor s team to identify the current ERM baseline for CSO. b. Assess the CSO baseline against the requirements defined for each CSO specific element identified in the ERM Blueprint. i. Identify the degree to which the ERM Blueprint requirements are already satisfied by the CSO baseline, and identify any gaps that remain. ii. Provide options and recommendations for addressing and remediating the gaps. c. Facilitate a CSO review of the gap analysis. 3. Develop an ERM Program Portfolio for CSO a. Sequence and prioritize the CSO gap remediation recommendations, and identify them as short-, mid-, or long-term efforts. b. Establish a portfolio of discrete programs defined to implement the CSO approved recommendations. For each program: i. Estimate timeframes. ii. Identify tasks and dependencies. iii. Identify CSO staff that may be required to perform the task. c. Facilitate a CSO review. d. Formalize each program. e. Obtain approval to execute the program. 4. Execute the CSO ERM programs to address gaps a. Monitor and coordinate efforts throughout the program portfolio. For each program:

10 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 7 i. Engage the appropriate CSO leads. ii. Identify a program lead and practitioners. iii. Facilitate a kick-off meeting. iv. Conduct periodic program status reviews. v. Monitor schedule, budget, and outcomes. vi. Ensure consistency throughout the program portfolio. 5. Plan Phase 2: IT Infrastructure Implementations a. Revise the ERM Plan for implementation throughout IT Infrastructure Implementations. i. Consider lessons learned during Phase 1. ii. Update the program schedule. b. Facilitate a CSO review. c. Engage OIS and coordinate the activities required for Phase 2. Phase 2: IT Infrastructure Implementations 1. Update the ERM Blueprint with OIS specific elements. 2. Document the OIS baseline and conduct a gap analysis of the OIS portion of the target state defined by the ERM Blueprint. 3. Develop an ERM Program Portfolio for OIS. 4. Execute the OIS ERM programs to address gaps. 5. Plan Phase 3: Regional Implementations. Phase 3: Regional Implementations 1. Update the ERM Blueprint with Region specific elements. 2. Document the baseline for the NRC Regions and conduct a gap analysis of the Regionbased portion of the target state defined by the ERM Blueprint. 3. Develop an ERM Program Portfolio for the NRC Regions. 4. Execute the Regional ERM programs to address gaps. 5. Plan Phase 4: ERM Implementation for the Remaining NRC Cyber Risk Related Activities. Phase 4: Remaining NRC Cyber Risk Related Activities 1. Update the ERM Blueprint with organization specific elements. 2. Document the baseline for the NRC regions and conduct a gap analysis of each organization s portion of the target state defined by the ERM Blueprint. 3. Develop an ERM Program Portfolio for the organizations.

11 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 8 4. Execute the organizational ERM programs to address gaps. Phase 5: ERM Planning and Maintenance Phase 1. Finalize all ERM Program documentation. 2. Plan for ongoing maintenance and continuous improvement of the ERMP. ERM Ongoing Maintenance and Continuous Improvement 1. Identify long-term custodian(s) for the ERMP. 2. Develop and/or refine business processes to ensure continuous improvement of ERM. 3. Implement the processes and/or process changes. 2.7 Program Deliverables Table 1 lists the ERM Program deliverables. Table 1: ERM Program Deliverables Deliverable ERM Program Plan Initial ERM Program Plan: November 29, 2013 Target Delivery Date Phase 2-4 ERM Program Plan Updates: TBD ERM Communication Plan Initial ERM Communication Plan: December 16, 2013 ERM Blueprint Phase 2-4 ERM Program Plan Updates: TBD Initial ERM Blueprint: January 30, 2014 Phase 1 ERM Blueprint: March 28, 2014 Phase 2-4 ERM Program Plan Updates: TBD ERM Baseline Portion of Gap Analysis Report Phase 1 ERM Baseline Report: February 28, 2014 ERM Gap Analysis Report Phase 2-4 ERM Baseline: TBD CSO specific Results and Recommendations: March 17, 2014

12 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 9 Table 1: ERM Program Deliverables Deliverable ERM Program Portfolio Target Delivery Date Phase 2-4 ERM Program Plan Updates: TBD CSO specific Program Portfolio: April 30, 2014 Phase 2-4 ERM Program Plan Updates: TBD 3 PROGRAM ORGANIZATION This section defines the ERM roles, responsibilities, and stakeholders for Phase 1 of the ERM Program. Roles, responsibilities, and stakeholders will be reviewed and revised as needed during each phase of program implementation. 3.1 Program Roles and Responsibilities Table 2 lists the roles and responsibilities for Phase 1 of the ERM Program. Table 2: ERM Program Roles and Responsibilities CISO Roles PST SITSO ERM Project Team Leader Technical Program Manager CSO Members CSO Support Contractor Program Responsibilities Provides executive leadership of the ERMP and acts as the ERMP champion. The PST SITSO oversees the ERMP; approves ERM-related plans, processes, and procedures; and supports senior management stakeholder activities. The ERM Team Project Leader leads the ERMP implementation; tracks and provides oversight and support for ERM-related activities; reviews ERM-related plans, processes, and procedures; and supports senior management stakeholder activities. Establishes and implements program plan, with the goal of keeping the program on schedule and within budget, and notifies the ERM Team Leader of any schedule or budget concerns. The Technical Program Manager also communicates business and technical requirements, tasks, and deliverables to the CSO Support Contractor; provides budget updates and requests to the ERM Team Leader; reviews contractor deliverables; provides comment prior to submitting to CSO senior management for review and approval; and supports technical staff stakeholder activities. Support the Technical Program Manager with requirements identification, ERM related process and procedure updates, gap analysis, and review of contractor deliverables. Also supports technical staff stakeholder activities. Supports the Technical Program Manager with requirements identification, ERM related process and procedure updates, and gap analysis. 3.2 Stakeholders Stakeholders for Phase 1 of the ERM Program are the DAA, Chief Information Officer (CIO), CISO, CSO, and system owners.

13 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 10 Stakeholders for subsequent phases will be identified in this plan as each phase takes place, and will include OIS, System Owners (SOs), the DAA, and agency Lines of Businesses (LOB).

14 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 11 CSO Enterprise Risk Management Program Plan Change History Date Version Description of Changes Method Used to Announce & Distribute Training 06-Nov Initial issuance Posting on CSO web page Upon request

15 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 12 Appendix A Acronyms Term CIO CISO CSO DAA ERM ERMP IPEC IT LOB NRC OIS POA&M PST SITSO SO Definition Chief Information Officer Chief Information Security Officer Computer Security Office Designated Approving Authority Enterprise Risk Management Enterprise Risk Management Program IT/IM Portfolio Executive Council Information Technology Line of Business Nuclear Regulatory Commission Office of Information Services Plan of Action and Milestones Policy, Standards & Training Senior Information Technology Security Officer System Owners

Nuclear Regulatory Commission Computer Security Office Enterprise Security Architecture Working Group Charter

Nuclear Regulatory Commission Computer Security Office Enterprise Security Architecture Working Group Charter Nuclear Regulatory Commission Computer Security Office Enterprise Security Architecture Working Group Charter Title: CSO Enterprise Security Architecture Working Group Charter Revision Number: 1.0 Effective

More information

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015

Cybersecurity Risk Management Activities Instructions Fiscal Year 2015 Cybersecurity Risk Management Activities Instructions Fiscal Year 2015 An effective risk management program and compliance with the Federal Information Security Management Act (FISMA) requires the U.S.

More information

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Nuclear Regulatory Commission Computer Security Office Computer Security Standard Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-2105 Remote Access Security Standard Revision Number: 1.0 Effective

More information

MD 12.5 NRC CYBER SECURITY PROGRAM DT-13-15

MD 12.5 NRC CYBER SECURITY PROGRAM DT-13-15 U.S. NUCLEAR REGULATORY COMMISSION MANAGEMENT DIRECTIVE (MD) MD 12.5 NRC CYBER SECURITY PROGRAM DT-13-15 Volume 12: Approved By: Security R. W. Borchardt Executive Director for Operations Date Approved:

More information

Overview. FedRAMP CONOPS

Overview. FedRAMP CONOPS Concept of Operations (CONOPS) Version 1.0 February 7, 2012 Overview Cloud computing technology allows the Federal Government to address demand from citizens for better, faster services and to save resources,

More information

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including

More information

State of Minnesota. Enterprise Security Program Policy. Office of Enterprise Technology. Enterprise Security Office Policy. Version 1.

State of Minnesota. Enterprise Security Program Policy. Office of Enterprise Technology. Enterprise Security Office Policy. Version 1. State of Minnesota Enterprise Security Program Policy Office of Enterprise Technology Version 1.00 Approval: Gopal Khanna (Signature on file with the ESO) 06/22/2009 State Chief Information Officer Signature

More information

NARA s Information Security Program. OIG Audit Report No. 15-01. October 27, 2014

NARA s Information Security Program. OIG Audit Report No. 15-01. October 27, 2014 NARA s Information Security Program OIG Audit Report No. 15-01 October 27, 2014 Table of Contents Executive Summary... 3 Background... 4 Objectives, Scope, Methodology... 7 Audit Results... 8 Appendix

More information

Value to the Mission. FEA Practice Guidance. Federal Enterprise Architecture Program Management Office, OMB

Value to the Mission. FEA Practice Guidance. Federal Enterprise Architecture Program Management Office, OMB Value to the Mission FEA Practice Guidance Federal Enterprise Program Management Office, OMB November 2007 FEA Practice Guidance Table of Contents Section 1: Overview...1-1 About the FEA Practice Guidance...

More information

2014 Audit of the Board s Information Security Program

2014 Audit of the Board s Information Security Program O FFICE OF I NSPECTOR GENERAL Audit Report 2014-IT-B-019 2014 Audit of the Board s Information Security Program November 14, 2014 B OARD OF G OVERNORS OF THE F EDERAL R ESERVE S YSTEM C ONSUMER FINANCIAL

More information

Information System Security Officer (ISSO) Guide

Information System Security Officer (ISSO) Guide Information System Security Officer (ISSO) Guide Office of the Chief Information Security Officer Version 10 September 16, 2013 DEPARTMENT OF HOMELAND SECURITY Document Change History INFORMATION SYSTEM

More information

Project Monitoring and Control

Project Monitoring and Control Project Monitoring and Control ProPath Office of Information and Technology Table of Contents Project Monitoring and Control Process Maps... 1 Process: Project Monitoring and Control... 10 Project Monitoring

More information

DIRECTIVE TRANSMITTAL

DIRECTIVE TRANSMITTAL U.S. NUCLEAR REGULATORY COMMISSION DIRECTIVE TRANSMITTAL TN: DT-07-08 To: Subject: Purpose: Office and Division of Origin: NRC Management Directives Custodians Transmittal of Management Directive 2.8,

More information

December 8, 2011. Security Authorization of Information Systems in Cloud Computing Environments

December 8, 2011. Security Authorization of Information Systems in Cloud Computing Environments December 8, 2011 MEMORANDUM FOR CHIEF INFORMATION OFFICERS FROM: SUBJECT: Steven VanRoekel Federal Chief Information Officer Security Authorization of Information Systems in Cloud Computing Environments

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

COMPUTER SECURITY INCIDENT RESPONSE POLICY

COMPUTER SECURITY INCIDENT RESPONSE POLICY COMPUTER SECURITY INCIDENT RESPONSE POLICY 1 Overview The Federal Information Security Management Act (FISMA) of 2002 requires Federal agencies to establish computer security incident response capabilities.

More information

Baseline Cyber Security Program

Baseline Cyber Security Program NNSA Policy Letter NAP-14.1-D Approved: Baseline Cyber Security Program NATIONAL NUCLEAR SECURITY ADMINISTRATION Office of Information Management and the Chief Information Officer AVAILABLE ONLINE AT:

More information

CMS INFORMATION SECURITY (IS) CERTIFICATION & ACCREDITATION (C&A) PACKAGE GUIDE

CMS INFORMATION SECURITY (IS) CERTIFICATION & ACCREDITATION (C&A) PACKAGE GUIDE Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS INFORMATION SECURITY (IS) CERTIFICATION & ACCREDITATION (C&A) PACKAGE GUIDE August 25, 2009 Version

More information

Policy on Information Assurance Risk Management for National Security Systems

Policy on Information Assurance Risk Management for National Security Systems CNSSP No. 22 January 2012 Policy on Information Assurance Risk Management for National Security Systems THIS DOCUMENT PRESCRIBES MINIMUM STANDARDS YOUR DEPARTMENT OR AGENCY MAY REQUIRE FURTHER IMPLEMENTATION

More information

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS Department of Veterans Affairs VA Directive 6004 Washington, DC 20420 Transmittal Sheet September 28, 2009 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS 1. REASON FOR ISSUE: This Directive establishes

More information

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Nuclear Regulatory Commission Computer Security Office Computer Security Standard Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1423 Microsoft Internet Explorer 11 Configuration Standard Revision

More information

GAO MAJOR AUTOMATED INFORMATION SYSTEMS. Selected Defense Programs Need to Implement Key Acquisition Practices

GAO MAJOR AUTOMATED INFORMATION SYSTEMS. Selected Defense Programs Need to Implement Key Acquisition Practices GAO United States Government Accountability Office Report to Congressional Addressees March 2013 MAJOR AUTOMATED INFORMATION SYSTEMS Selected Defense Programs Need to Implement Key Acquisition Practices

More information

OFFICE OF THE CIO. PROCEDURE Informational VERSION: 1.0

OFFICE OF THE CIO. PROCEDURE Informational VERSION: 1.0 OFFICE OF THE CIO PROCEDURE Informational VERSION: 1.0 Purpose Project Management of Major or Large NDUS Information Technology Projects Project Managers Guide/Checklist This procedural process will ensure

More information

Information System Security Officer (ISSO) Guide

Information System Security Officer (ISSO) Guide Information System Security Officer (ISSO) Guide Information Security Office Version 8.0 June 06, 2011 DEPARTMENT OF HOMELAND SECURITY Document Change History INFORMATION SYSTEM SECURITY OFFICER (ISSO)

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)

More information

NASA OFFICE OF INSPECTOR GENERAL

NASA OFFICE OF INSPECTOR GENERAL NASA OFFICE OF INSPECTOR GENERAL OFFICE OF AUDITS SUITE 8U71, 300 E ST SW WASHINGTON, D.C. 20546-0001 April 14, 2016 TO: SUBJECT: Renee P. Wynn Chief Information Officer Final Memorandum, Review of NASA

More information

Project Start Up. Start-Up Check List. Why a Project Check List? What is a Project Check List? Initial Release 1.0 Date: January 1997

Project Start Up. Start-Up Check List. Why a Project Check List? What is a Project Check List? Initial Release 1.0 Date: January 1997 Why a Project Check List? A good way to ensure that all start-up tasks are completed prior to actually starting the project is to develop a start-up check list. The check list can be developed and then

More information

Program Lifecycle Methodology Version 1.7

Program Lifecycle Methodology Version 1.7 Version 1.7 March 30, 2011 REVISION HISTORY VERSION NO. DATE DESCRIPTION AUTHOR 1.0 Initial Draft Hkelley 1.2 10/22/08 Updated with feedback Hkelley 1.3 1/7/2009 Copy edited Kevans 1.4 4/22/2010 Updated

More information

The Fast Track Project Glossary is organized into four sections for ease of use:

The Fast Track Project Glossary is organized into four sections for ease of use: The Fast Track Management Glossary provides a handy reference guide to the fast track management model, encompassing the concepts, steps and strategies used to manage successful projects even in the face

More information

PREFACE TO SELECTED INFORMATION DIRECTIVES CHIEF INFORMATION OFFICER MEMORANDUM

PREFACE TO SELECTED INFORMATION DIRECTIVES CHIEF INFORMATION OFFICER MEMORANDUM PREFACE TO SELECTED INFORMATION DIRECTIVES CIO Transmittal No.: 15-010 CIO Approval Date: 06/12/2015 Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 CHIEF INFORMATION

More information

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy

More information

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Information Technology Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program Report.

More information

Table of Contents PERFORMANCE REVIEWS STRATEGIC REVIEWS

Table of Contents PERFORMANCE REVIEWS STRATEGIC REVIEWS SECTION 270 PERFORMANCE AND STRATEGIC REVIEWS Table of Contents 270.1 To which agencies does this section apply? 270.2 What is the purpose of this section? PERFORMANCE REVIEWS 270.3 What is the purpose

More information

Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012

Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012 Monitoring in a Risk Management Framework US Census Bureau Oct 2012 Agenda Drivers for Monitoring What is Monitoring Monitoring in a Risk Management Framework (RMF) RMF Cost Efficiencies RMF Lessons Learned

More information

Review of the SEC s Systems Certification and Accreditation Process

Review of the SEC s Systems Certification and Accreditation Process Review of the SEC s Systems Certification and Accreditation Process March 27, 2013 Page i Should you have any questions regarding this report, please do not hesitate to contact me. We appreciate the courtesy

More information

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material,

More information

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A)

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC FSIS DIRECTIVE 1306.2 9/28/11 INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) I. PURPOSE This directive

More information

Office of Inspector General Corporation for National and Community Service

Office of Inspector General Corporation for National and Community Service Office of Inspector General Corporation for National and Community Service FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) INDEPENDENT EVALUATION FOR FY 2013 OIG REPORT 14-03 1201 New York Ave, NW

More information

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness United States Government Accountability Office Report to Congressional Committees September 2013 FEDERAL INFORMATION SECURITY Mixed Progress in Implementing Program Components; Improved Metrics Needed

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL FY 2015 INDEPENDENT EVALUATION OF THE EFFECTIVENESS OF NCUA S INFORMATION SECURITY PROGRAM UNDER THE FEDERAL INFORMATION SECURITY MODERNIZATION

More information

Audit of the Department of State Information Security Program

Audit of the Department of State Information Security Program UNITED STATES DEPARTMENT OF STATE AND THE BROADCASTING BOARD OF GOVERNORS OFFICE OF INSPECTOR GENERAL AUD-IT-15-17 Office of Audits October 2014 Audit of the Department of State Information Security Program

More information

Strategic Plan Network Optimization & Transport Services 2013-2018

Strategic Plan Network Optimization & Transport Services 2013-2018 Strategic Plan Network Optimization & Transport Services 2013-2018 Office of the Chief Information Officer National Oceanic and Atmospheric Administration United States Department of Commerce Version 2.0

More information

Security Control Standard

Security Control Standard Department of the Interior Security Control Standard Program Management April 2011 Version: 1.1 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information

More information

Security Authorization Process Guide

Security Authorization Process Guide Security Authorization Process Guide Office of the Chief Information Security Officer (CISO) Version 11.1 March 16, 2015 TABLE OF CONTENTS Introduction... 1 1.1 Background... 1 1.2 Purpose... 2 1.3 Scope...

More information

CMS Policy for Information Technology (IT) Investment Management & Governance

CMS Policy for Information Technology (IT) Investment Management & Governance Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS Policy for Information Technology (IT) Investment Management & Governance May 17, 2007 Document Number:

More information

ITS Project Management

ITS Project Management ITS Project Management Policy Contents I. POLICY STATEMENT II. REASON FOR POLICY III. SCOPE IV. AUDIENCE V. POLICY TEXT VI. PROCEDURES VII. RELATED INFORMATION VIII. DEFINITIONS IX. FREQUENTLY ASKED QUESTIONS

More information

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management

More information

HHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle (EPLC)

HHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle (EPLC) Office of the Chief Information Officer Office of the Assistant Secretary for Resources and Technology Department of Health and Human Services HHS OCIO Policy for Information Technology (IT) Enterprise

More information

U.S. DEPARTMENT OF TRANSPORTATION FEDERAL AVIATION ADMINISTRATION. Air Traffic Organization Policy

U.S. DEPARTMENT OF TRANSPORTATION FEDERAL AVIATION ADMINISTRATION. Air Traffic Organization Policy U.S. DEPARTMENT OF TRANSPORTATION FEDERAL AVIATION ADMINISTRATION Air Traffic Organization Policy ORDER JO 1000.37A SUBJ: Air Traffic Organization Safety Management System Effective Date: 5/30/14 The mission

More information

Audit of NRC s Network Security Operations Center

Audit of NRC s Network Security Operations Center Audit of NRC s Network Security Operations Center OIG-16-A-07 January 11, 2016 All publicly available OIG reports (including this report) are accessible through NRC s Web site at http://www.nrc.gov/reading-rm/doc-collections/insp-gen

More information

U.S. Nuclear Regulatory Commission

U.S. Nuclear Regulatory Commission ADAMS ML14199A294 U.S. Nuclear Regulatory Commission Privacy Impact Assessment Designed to collect the information necessary to make relevant determinations regarding the applicability of the Privacy Act,

More information

Program Management Professional (PgMP) Examination Content Outline

Program Management Professional (PgMP) Examination Content Outline Program Management Professional (PgMP) Examination Content Outline Project Management Institute Program Management Professional (PgMP ) Examination Content Outline April 2011 Published by: Project Management

More information

for Information Security

for Information Security NIST Special Publication 800-55 Revision 1 Performance Measurement Guide for Information Security Elizabeth Chew, Marianne Swanson, Kevin Stine, Nadya Bartol, Anthony Brown, and Will Robinson I N F O R

More information

ClOP CHAPTER 1351.39. Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1

ClOP CHAPTER 1351.39. Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1 ClOP CHAPTER 1351.39 Departmental Information Technology Governance Policy TABLE OF CONTENTS Section 39.1 Purpose... 1 Section 39.2 Section 39.3 Section 39.4 Section 39.5 Section 39.6 Section 39.7 Section

More information

Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash

Information Security Guide For Government Executives. Pauline Bowen Elizabeth Chew Joan Hash Information Security Guide For Government Executives Pauline Bowen Elizabeth Chew Joan Hash Introduction Table of Contents Introduction 1 Why do I need to invest in information security? 2 Where do I need

More information

REVIEW OF NASA S MANAGEMENT AND OVERSIGHT

REVIEW OF NASA S MANAGEMENT AND OVERSIGHT SEPTEMBER 16, 2010 AUDIT REPORT OFFICE OF AUDITS REVIEW OF NASA S MANAGEMENT AND OVERSIGHT OF ITS INFORMATION TECHNOLOGY SECURITY PROGRAM OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration

More information

Final. North Carolina Procurement Transformation. Governance Model March 11, 2011

Final. North Carolina Procurement Transformation. Governance Model March 11, 2011 North Carolina Procurement Transformation Governance Model March 11, 2011 Executive Summary Design Approach Process Governance Model Overview Recommended Governance Structure Recommended Governance Processes

More information

LMI Aerospace PROJECT MANAGEMENT PLAN ACCESS REQUEST PROCESS IMPROVEMENT FEBRUARY 7, 2012

LMI Aerospace PROJECT MANAGEMENT PLAN ACCESS REQUEST PROCESS IMPROVEMENT FEBRUARY 7, 2012 PROJECT MANAGEMENT PLAN ACCESS REQUEST PROCESS IMPROVEMENT FEBRUARY 7, 2012 TABLE OF CONTENTS INTRODUCTION... 2 PROJECT MANAGEMENT APPROACH... 2 PROJECT SCOPE... 2 MILESTONE LIST... 2 SCHEDULE BASELINE

More information

Aircraft Certification Service Policy. Aircraft Certification Information Resource Management (IRM) Governance Program

Aircraft Certification Service Policy. Aircraft Certification Information Resource Management (IRM) Governance Program Aircraft Certification Service Policy ORDER 1370.76B Effective Date: 09/28/2009 SUBJ: Aircraft Certification Information Resource Management (IRM) Governance Program 1. Purpose of this Order. a. This order

More information

Project Management Professional (PMP) Examination Content Outline

Project Management Professional (PMP) Examination Content Outline Project Management Professional (PMP) Examination Content Outline Project Management Institute Project Management Professional (PMP ) Examination Content Outline Revised August 2011 Published by: Project

More information

2.0 ROLES AND RESPONSIBILITIES

2.0 ROLES AND RESPONSIBILITIES 2.0 ROLES AND RESPONSIBILITIES This handout describes applicable roles and responsibilities for the Capital Planning and Investment Process (CPIC) as presented in the NIST Integrating IT Security into

More information

April 30, 2004 Report No. 04-019. Enhancements to the FDIC System Development Life Cycle Methodology AUDIT REPORT

April 30, 2004 Report No. 04-019. Enhancements to the FDIC System Development Life Cycle Methodology AUDIT REPORT April 30, 2004 Report No. 04-019 Enhancements to the FDIC System Development Life Cycle Methodology AUDIT REPORT TABLE OF CONTENTS BACKGROUND... 1 RESULTS OF AUDIT... 5 FINDING AND RECOMMENDATIONS Need

More information

Business Architecture Guild Body of Knowledge Handbook 2.0

Business Architecture Guild Body of Knowledge Handbook 2.0 Guild Body of Knowledge Handbook 2.0 ------------------------ Section 1: Introduction The Guild has made this Introduction section of its Body of Knowledge Handbook 2.0 ( Handbook ) publicly available

More information

Section 37.1 Purpose... 1. Section 37.2 Background... 3. Section 37.3 Scope and Applicability... 4. Section 37.4 Policy... 5

Section 37.1 Purpose... 1. Section 37.2 Background... 3. Section 37.3 Scope and Applicability... 4. Section 37.4 Policy... 5 CIOP CHAPTER 37 Departmental Cybersecurity Policy TABLE OF CONTENTS Section 37.1 Purpose... 1 Section 37.2 Background... 3 Section 37.3 Scope and Applicability... 4 Section 37.4 Policy... 5 Section 37.5

More information

BPA Policy 434-1 Cyber Security Program

BPA Policy 434-1 Cyber Security Program B O N N E V I L L E P O W E R A D M I N I S T R A T I O N BPA Policy Table of Contents.1 Purpose & Background...2.2 Policy Owner... 2.3 Applicability... 2.4 Terms & Definitions... 2.5 Policy... 5.6 Policy

More information

UNITED STATES DEPARTMENT OF THE INTERIOR BUREAU OF LAND MANAGEMENT MANUAL TRANSMITTAL SHEET

UNITED STATES DEPARTMENT OF THE INTERIOR BUREAU OF LAND MANAGEMENT MANUAL TRANSMITTAL SHEET Form 1221-2 (June 1969) UNITED STATES DEPARTMENT OF THE INTERIOR BUREAU OF LAND MANAGEMENT Release: 1-1718 Date: MANUAL TRANSMITTAL SHEET Subject 1265 Information Technology Investment Management (ITIM)

More information

Audit of the Board s Information Security Program

Audit of the Board s Information Security Program Board of Governors of the Federal Reserve System Audit of the Board s Information Security Program Office of Inspector General November 2011 November 14, 2011 Board of Governors of the Federal Reserve

More information

Lots of Updates! Where do we start?

Lots of Updates! Where do we start? NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project Management Community Meeting October 18, 2011 .

More information

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS POLICY FOR THE INFORMATION SECURITY PROGRAM FINAL Version 4.0 August 31, 2010 Document Number: CMS-CIO-POL-SEC02-04.0

More information

INFORMATION SECURITY

INFORMATION SECURITY NIST Special Publication 800-65 DRAFT Integrating IT Security into the Capital Planning and Investment Control Process Joan Hash, Nadya Bartol, Holly Rollins, Will Robinson, John Abeles, and Steve Batdorff

More information

Highlights & Next Steps

Highlights & Next Steps USG Cloud Computing Technology Roadmap Highlights & Next Steps NIST Mission: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways

More information

CMS INFORMATION SECURITY ASSESSMENT PROCEDURE

CMS INFORMATION SECURITY ASSESSMENT PROCEDURE Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS INFORMATION SECURITY ASSESSMENT PROCEDURE March 19, 2009 Version 2.0- Final Summary of Changes in CMS

More information

THE STATUS OF ENTERPRISE ARCHITECTURE AND INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT IN THE DEPARTMENT OF JUSTICE

THE STATUS OF ENTERPRISE ARCHITECTURE AND INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT IN THE DEPARTMENT OF JUSTICE THE STATUS OF ENTERPRISE ARCHITECTURE AND INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT IN THE DEPARTMENT OF JUSTICE U.S. Department of Justice Office of the Inspector General Audit Division Audit Report

More information

Subject Area 1 Project Initiation and Management

Subject Area 1 Project Initiation and Management DRII/BCI Professional Practice Narrative: Establish the need for a Business Continuity Plan (BCP), including obtaining management support and organizing and managing the BCP project to completion. (This

More information

UNITED STATES PATENT AND TRADEMARK OFFICE. AGENCY ADMINISTRATIVE ORDER 212-04 Agency Administrative Order Series. Secure Baseline Attachment

UNITED STATES PATENT AND TRADEMARK OFFICE. AGENCY ADMINISTRATIVE ORDER 212-04 Agency Administrative Order Series. Secure Baseline Attachment UNITED STATES PATENT AND TRADEMARK OFFICE AGENCY ADMINISTRATIVE ORDER 212-04 Agency Administrative Order Series Secure Baseline Attachment Date of Issuance: Effective Date: TABLE OF CONTENTS I. Purpose

More information

SECURITY ASSESSMENT AND AUTHORIZATION

SECURITY ASSESSMENT AND AUTHORIZATION SECURITY ASSESSMENT AND AUTHORIZATION INFORMATION SYSTEM SECURITY ASSESSMENT AND AUTHORIZATION PROCESS CHAPTER 02 ITS-HBK-2810.02-02 HANDBOOK EFFECTIVE DATE: 20150201 EXPIRATION DATE: 20180201 RESPONSIBLE

More information

Concept of Operations for Line of Business Initiatives

Concept of Operations for Line of Business Initiatives Concept of Operations for Line of Business Initiatives Version 1.0 Office of E-Gov and IT, OMB March 2006 Table of Contents FOREWORD...2 1 OBJECTIVES OF THE LINES OF BUSINESS CONCEPT OF OPERATIONS...3

More information

U.S. Department of Education Federal Student Aid

U.S. Department of Education Federal Student Aid U.S. Department of Education Federal Student Aid Lifecycle Management Methodology Stage Gate Review Process Description Version 1.3 06/30/2015 Final DOCUMENT NUMBER: FSA_TOQA_PROC_STGRW.NA_001 Lifecycle

More information

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009 U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009 ISD-EV-MOA-0002-2009 Contents Acronyms and Other Reference

More information

Information Security for Managers

Information Security for Managers Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize

More information

2012 FISMA Executive Summary Report

2012 FISMA Executive Summary Report 2012 FISMA Executive Summary Report March 29, 2013 UNITED STATES SECURITIES AND EXCHANGE COMMISSION WASHINGTON, D.C. 20549 OI'!'ICEOI' lnstfl! C1'0R GENERAt MEMORANDUM March 29,2013 To: Jeff Heslop, Chief

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

Audit of the Data Center Consolidation Initiative at NARA. OIG Draft Audit Report No. 12-09. May 10, 2012

Audit of the Data Center Consolidation Initiative at NARA. OIG Draft Audit Report No. 12-09. May 10, 2012 Audit of the Data Center Consolidation Initiative at NARA OIG Draft Audit Report No. 12-09 May 10, 2012 Table of Contents Executive Summary... 3 Background... 4 Objectives, Scope, Methodology... 7 Audit

More information

ORACLE PROJECT MANAGEMENT

ORACLE PROJECT MANAGEMENT ORACLE PROJECT MANAGEMENT KEY FEATURES Oracle Project Management provides project managers the WORK MANAGEMENT Define the workplan and associated resources; publish and maintain versions View your schedule,

More information

IT Project Governance Manual Version 1.1

IT Project Governance Manual Version 1.1 IT Project Governance Manual Version 1.1 A Mandatory Reference for ADS Chapter 577 New Reference: 04/13/2010 Responsible Office: CIO File Name: 577mak_041310 UNITED STATES AGENCY FOR IT Project Goverance

More information

Company A Project Plan

Company A Project Plan Company A Project Plan Project Name: Close Optimization Project Example Prepared By: David Done - Project Manager Title: John Doe -Project Manager Date: March 17, 2011 Project Plan Approval Signatures

More information

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12 Evaluation Report Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review April 30, 2014 Report Number 14-12 U.S. Small Business Administration Office of Inspector General

More information

GTA Board of Directors September 4, 2014

GTA Board of Directors September 4, 2014 GTA Board of Directors September 4, 2014 Our Strategic Vision Our Mission A transparent, integrated enterprise where technology decisions are made with the citizen in mind To provide technology leadership

More information

OFFICE OF THE STATE SUPERINTENDENT FOR EDUCATION Chief Information Office (CIO) Enterprise Licensing and Case Management Initiative Scope of Work

OFFICE OF THE STATE SUPERINTENDENT FOR EDUCATION Chief Information Office (CIO) Enterprise Licensing and Case Management Initiative Scope of Work C.1 SCOPE OFFICE OF THE STATE SUPERINTENDENT FOR EDUCATION Chief Information Office (CIO) Enterprise Licensing and Case Management Initiative Scope of Work The Government of the District of Columbia, Office

More information

WHY DO I NEED A PROGRAM MANAGEMENT OFFICE (AND HOW DO I GET ONE)?

WHY DO I NEED A PROGRAM MANAGEMENT OFFICE (AND HOW DO I GET ONE)? WHY DO I NEED A PROGRAM MANAGEMENT OFFICE (AND HOW DO I GET ONE)? Due to the often complex and risky nature of projects, many organizations experience pressure for consistency in strategy, communication,

More information

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies United States Government Accountability Office Report to Congressional Requesters June 2014 INFORMATION SECURITY Additional Oversight Needed to Improve Programs at Small Agencies GAO-14-344 June 2014 INFORMATION

More information

GAO DATA CENTER CONSOLIDATION. Agencies Making Progress on Efforts, but Inventories and Plans Need to Be Completed. Report to Congressional Requesters

GAO DATA CENTER CONSOLIDATION. Agencies Making Progress on Efforts, but Inventories and Plans Need to Be Completed. Report to Congressional Requesters GAO United States Government Accountability Office Report to Congressional Requesters July 2012 DATA CENTER CONSOLIDATION Agencies Making Progress on Efforts, but Inventories and Plans Need to Be Completed

More information

GAO DEPARTMENT OF HOMELAND SECURITY. Actions Taken Toward Management Integration, but a Comprehensive Strategy Is Still Needed

GAO DEPARTMENT OF HOMELAND SECURITY. Actions Taken Toward Management Integration, but a Comprehensive Strategy Is Still Needed GAO November 2009 United States Government Accountability Office Report to the Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia, Committee on Homeland

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Customer Account Data Engine 2 (CADE 2): System Requirements and Testing Processes Need Improvements September 28, 2012 Reference Number: 2012-20-122 This

More information

NASCIO EA Development Tool-Kit Solution Architecture. Version 3.0

NASCIO EA Development Tool-Kit Solution Architecture. Version 3.0 NASCIO EA Development Tool-Kit Solution Architecture Version 3.0 October 2004 TABLE OF CONTENTS SOLUTION ARCHITECTURE...1 Introduction...1 Benefits...3 Link to Implementation Planning...4 Definitions...5

More information

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Nuclear Regulatory Commission Computer Security Office Computer Security Standard Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-4000 Network Infrastructure Standard Revision Number: 1.0 Effective

More information

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed

More information

Commonwealth of Virginia

Commonwealth of Virginia Commonwealth of Virginia Information Technology Resource Management Standard for PROJECT MANAGER SELECTION and TRAINING Virginia Information Technologies Agency Preface Publication Designation Commonwealth

More information